[plug] Advanced IPSec routing
Steve Baker
steve at iinet.net.au
Mon Oct 10 14:38:07 WST 2011
On 10/10/11 13:14, Andrew Cooks wrote:
> On Mon, Oct 10, 2011 at 6:34 AM, Steve Baker<steve at iinet.net.au> wrote:
>> I think that the problem is that B decides that packets going to network E
>> do not go through an IPSec tunnel (as E is not connected to the gateway B
>> system, directly or via IPSec) then by the time the new routing rule above
>> says 'send it to gateway C' it is too late to go through any IPSec tunnels.
> Hi Steve
>
> I think you need to set the route in ipsec on gateway B with something like:
> # ipsec eroute --add --eraf inet --src A.A.A.A/24 --dst E.E.E.E/24 --said %pass
>
> I hope that helps and good luck.
>
> Andrew
Hi Andrew,
Thanks for the suggestion, however my system uses the NETKEY stack instead
of KLIPS, which means the 'ipsec eroute' command doesn't work (although
it also doesn't complain when I run the command).
Apparently I should use 'ip xfrm' commands, but there is little
documentation of that and I can't tell if it just sets up the SA
policies or if it also does routing. I also can't figure out how to use
that command to make it route first and then choose an IPSec tunnel second.
Regards,
Steve
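The NETKEY side of the question above, as an added example that is not from the original thread or from Openswan itself; every address is a constructed placeholder for the A, B, C and E systems, and the ESP SAs between B and C are assumed to be in place already.

```shell
#!/bin/sh
# Added example for the NETKEY (ip xfrm) side of the thread; not Openswan code.
# Constructed placeholder addresses:
#   network A 10.1.0.0/24 sits behind gateway B (203.0.113.1)
#   network E 10.5.0.0/24 sits behind gateway C (198.51.100.1)
# The ESP SAs between B and C are assumed to exist already (for example set up
# by the IKE daemon); this script only adds the policies (SPD entries) on B.
NET_A=10.1.0.0/24
NET_E=10.5.0.0/24
GW_B=203.0.113.1
GW_C=198.51.100.1

# Commands are printed unless APPLY=1 is set, so they can be reviewed first.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Order of operations in the NETKEY stack: the kernel first does an ordinary
# route lookup for the inner packet (any route covering NET_E will do, the
# default route included), then matches the packet against the SPD. A matching
# "dir out" policy with a tunnel template causes ESP encapsulation to GW_C,
# and the encapsulated packet gets its own, second route lookup. So the route
# decides nothing about IPsec; only the policy selector does.
add_policies() {
  # Outbound: A -> E must leave B inside the B -> C tunnel.
  run ip xfrm policy add src "$NET_A" dst "$NET_E" dir out \
      tmpl src "$GW_B" dst "$GW_C" proto esp mode tunnel
  # Inbound: E -> A arrives inside the C -> B tunnel; "fwd" is needed because
  # B forwards the decapsulated packet on to network A instead of consuming it.
  run ip xfrm policy add src "$NET_E" dst "$NET_A" dir in \
      tmpl src "$GW_C" dst "$GW_B" proto esp mode tunnel
  run ip xfrm policy add src "$NET_E" dst "$NET_A" dir fwd \
      tmpl src "$GW_C" dst "$GW_B" proto esp mode tunnel
}

# Check: after running with APPLY=1, inspect the SPD with "ip xfrm policy".
add_policies
```

Running it without APPLY=1 only prints the three `ip xfrm policy add` lines, which is the safe way to confirm the selectors before touching the live SPD.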